Details

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements. As JBoss Enterprise Web Platform is a subset of JBoss Enterprise Application Platform, refer to the JBoss Enterprise Application Platform 5.2.0 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/

An attack technique against the W3C XML Encryption Standard when block ciphers were used in CBC mode could allow a remote attacker to conduct chosen-ciphertext attacks, leading to the recovery of the entire plain text of a particular cryptogram. (CVE-2011-1096)

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. Refer to the Solution section for details. (CVE-2012-2379)

When an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. (CVE-2012-3546)

The JMX Console was vulnerable to CSRF attacks, allowing a remote attacker to hijack the authenticated JMX Console session of an administrator. (CVE-2011-2908)

An XSS flaw allowed a remote attacker to perform an XSS attack against victims using the JMX Console. (CVE-2011-4575)

SecurityAssociation.getCredential() returned the previous credential if no security context was provided. Depending on the deployed applications, this could possibly allow a remote attacker to hijack the credentials of a previously-authenticated user. (CVE-2012-3370)

Configuring the JMX Invoker to restrict access to users with specific roles did not actually restrict access, allowing remote attackers with valid JMX Invoker credentials to perform JMX operations accessible to roles they are not a member of. (CVE-2012-5478)

NonManagedConnectionFactory logged the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file. (CVE-2012-0034)

The JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets allowed unauthenticated access by default in some profiles. The security interceptor's second layer of authentication prevented direct exploitation of this flaw. If the interceptor was misconfigured or inadvertently disabled, this flaw could lead to arbitrary code execution in the context of the user running the JBoss server. (CVE-2012-0874)

The JGroups diagnostics service was enabled with no authentication when a JGroups channel was started, allowing attackers on the adjacent network to read diagnostic information. (CVE-2012-2377)

CallerIdentityLoginModule retained the password from the previous call if a null password was provided. In non-default configurations this could possibly lead to a remote attacker hijacking a previously-authenticated user's session. (CVE-2012-3369)

Red Hat would like to thank Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2011-1096 and CVE-2011-2487; the Apache CXF project for reporting CVE-2012-2379; and Tyler Krpata for reporting CVE-2011-4575. CVE-2012-3370 and CVE-2012-3369 were discovered by Carlo de Wolf of Red Hat; CVE-2012-5478 was discovered by Derek Horton of Red Hat; CVE-2012-0874 was discovered by David Jorm of Red Hat; and CVE-2012-2377 was discovered by Red Hat.

Solution

Note: Manual action is required to apply the fix for CVE-2011-2730. If your system has deployed applications which use Spring framework, the context parameter "springJspExpressionSupport" must be set to "false" to mitigate this flaw, for example, in the application's web.xml file. This will prevent the double-evaluation of EL expressions that led to this flaw.
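As an added example (not Red Hat's or Spring's code), the following Python script reads a deployed application's web.xml and reports whether the "springJspExpressionSupport" context parameter is explicitly set to "false", which is the manual mitigation described above. The two sample descriptors embedded in it are constructed, and the script name check_spring_el.py in the usage comment is assumed.

```python
import sys
import xml.etree.ElementTree as ET

PARAM = "springJspExpressionSupport"

def _local(tag):
    # Strip the XML namespace so the check works with any web-app schema version
    return tag.rsplit("}", 1)[-1]

def jsp_el_support_setting(web_xml_text):
    """Return the value of the springJspExpressionSupport context-param, or None if unset."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == PARAM:
            return value
    return None

def is_mitigated(web_xml_text):
    """True only when the parameter is present and explicitly set to false."""
    value = jsp_el_support_setting(web_xml_text)
    return value is not None and value.lower() == "false"

# Constructed sample descriptors (not taken from any real deployment).
MITIGATED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

UNSET_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring.xml</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    # Usage: python check_spring_el.py WEB-INF/web.xml (falls back to the unset sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else UNSET_WEB_XML
    print("mitigated" if is_mitigated(text) else "NOT mitigated: set %s to false" % PARAM)
```

Run it against each deployed application's WEB-INF/web.xml; an application that sets the parameter elsewhere (for instance programmatically) will still be reported as unmitigated, so treat the output as a prompt for review rather than a final verdict.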

CVE-2012-2379 has been addressed by disabling the affected configuration in this release. If you use the affected configuration, an exception will be thrown and the relevant application will not deploy to the server. A patch that allows the affected configuration to be used without this vulnerability is available in JBoss Enterprise Application Platform 6.0.1.